How Hackers Will Defeat Google's Smartphone Security Scheme

Thanks to Google, the cloud just got one step more secure. Unfortunately, many of the cybercriminals who make a living exploiting the cloud's weaknesses were already more than one step ahead.

On Monday, Google announced what the security industry calls "two-factor authentication" for its enterprise software-as-a-service applications. Here's how it works: When you log into Gmail or other Google apps, the service asks for not just a password, but also a randomly-generated number sent to an app on your smartphone. That makes it much harder for someone who steals your password to gain access to your data without physically stealing your phone, too. Google says it's planning to make the system open-source and release it for other companies to use, potentially sparking a new wave of two-factor authentication for online apps like email and banking.

That's great news for the security of the Web's services. But it's far from a cure-all for what ails the Internet.

Here's what encryption guru Bruce Schneier wrote about two-factor authentication on his blog: "Two-factor authentication isn't our savior ... It solves the security problems we had ten years ago, not the security problems we have today." And that was in 2005.

In that half-decade-old essay, Schneier outlined two techniques for circumventing two-factor authentication that were becoming common then, and are far more common now:

Man-in-the-Middle attack. An attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.

Trojan attack. The attacker gets a Trojan installed on the user's computer. When the user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

The trick of both techniques is that they don't store the stolen authentication information; they hijack it in real time to pass through the security safeguards along with the user. Both have been used for years.

Google product manager Travis McCoy concedes that real-time phishing and Trojan attacks can't be stopped by two-factor authentication. "We want to be very clear about what we are and aren't protecting against," says McCoy. "We don't want users to think we're protecting against all attacks on the Internet." He reminds users that in addition to Google's cell phone authentication trick, they should still use a secure browser--he names practically every one but Microsoft Internet Explorer--and run antivirus software.

But McCoy also argues that two-factor authentication will nonetheless take a big bite out of cybercrime. "We asked ourselves what was the single thing we could target that possesses the greatest security risk? All the data says that usernames and passwords are the weak link in the security chain."

McCoy is right: No technology can offer absolute security, and two-factor authentication could be a huge improvement to the security of the cloud. To skirt Google's two-factor authentication system, hackers will have to exploit users' accounts in real-time. That makes it nearly impossible to steal a user's details and then sell them to another criminal via an underground forum, as is often the case in the modern cybercriminal economy.

But Schneier's pessimistic take is right, too. As he wrote five years ago, "Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft." In other words, other online applications run by companies including IBM and Microsoft will likely be forced to adopt simple two-factor authentication or risk inheriting the lazy cybercriminals who stop targeting Google's users. But once the industry as a whole has implemented the technique, don't expect your cell phone alone to keep your data safe.

Update: When I reached Bruce Schneier to hear his thoughts about Google's security update, he was far more positive about the new features than his 2005 take on two-factor authentication might have suggested. His reasoning: while two-factor authentication won't pose much of a hurdle to hackers trying to access someone's bank account, it will be far more effective for protecting email and other online apps. Unlike in banking, gaining real-time access to email doesn't offer enough of a reward to spawn an "arms race" of clever security circumventions, he says.

"It's not a panacea. Nothing is," Schneier cautions. "But there isn't a better solution. So good for Google for doing it."